On Thu, 2003-02-13 at 02:13, Tony Earnshaw wrote:
> Wed, 2003-02-12 at 22:32, Chris Toshok wrote:
>
> > > > Perhaps someone could actually try to assist us in figuring out what is
> > > > wrong here. I'd like to continue to use EVO, but, I need access to my
> > > > company LDAP.
> >
> > Hmm, I didn't receive this mail that Tony's responding to... private
> > mail?
>
> No, it was posted to the list. Had it been private, I'd have forwarded
> it.

Strange, I don't remember seeing it... *shrug*, not important.

> > Anyway, I investigated this a little the last time you (David) sent mail
> > about it back in December I think? There wasn't much that could be
> > determined from my end here.. "openssl s_client" prints out the cert
> > fine, but ldapsearch hangs, just like evolution does. The error the
> > wombat printed out was 0x55 (LDAP_TIMEOUT), which is the same behavior
> > as the command line tool. This might be some failing with openssl, I
> > don't know.
>
> ldapsearch should never hang, but return a result - whatever that is.
> There's a list of errors in ldap.h as long as your arm to cope with all
> ldap eventualities (not poorly configured DNS or the like, though).

In conditions where it's possible to induce a hang, ldapsearch will
*always* hang unless you give it an explicit timeout. It defaults to
infinite wait.

But that doesn't matter, as it turns out in this instance I was just being
stupid and using -ZZ on the command line instead of -H ldaps://.... I get
the successful (but empty) search with that.

It's troubling that I have essentially the same setup here (SSL/TLS set to
Always, port set to 636 - I don't even allow connections on 389 on this
particular box) and it works fine for me.

> > We just call ldap_start_tls and hope for the
> > best.
>
> That bit made me smile :-) It's possible to debug in detail at the
> server end, and if one's running OpenLDAP clients like ldapsearch,
> they can be run at the same debug levels as slapd.

Yeah. Actually there's code in the ldap backend to enable debugging but it
doesn't appear to be working. Hrm..

My point with the above line was that we can't do all the nice stuff the
mailer can wrt self-signed certs, popping up dialogs, asking for user
confirmation and all that. There's no way we can recover from what the
ldap library considers to be a fatal error, or (as far as I can tell,
please correct me if I'm wrong) cause a connection to fail because of what
we/the user considers a fatal error. We're stuck with the openldap client
lib's policy decisions.

Chris

_______________________________________________
evolution maillist - [EMAIL PROTECTED]
http://lists.ximian.com/mailman/listinfo/evolution
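The hang Chris describes has a simple mechanical cause, and it is worth seeing it outside the thread's wording. An ldaps:// port (636) speaks implicit TLS: the server waits for a TLS ClientHello as the very first bytes. `ldapsearch -ZZ` instead sends a plaintext LDAP StartTLS ExtendedRequest and waits for the server's reply. Each side is waiting for the other, so a client with no network timeout (ldapsearch's default) never returns. The script below is an added example written for this page, not code from the thread, Evolution or OpenLDAP; the "ldaps" listener is a constructed mock that only peeks at the first byte and then stays silent, the way a TLS server does before a ClientHello arrives. The BER bytes of the StartTLS request are encoded by hand and the OID is the standard StartTLS OID; everything else (function names, ports, timeouts) is an assumption of the example.

```python
"""Why `ldapsearch -ZZ` against an ldaps:// port hangs, and why an explicit
network timeout matters.  Added example; the listener is a constructed mock,
nothing here talks to a real directory."""
import socket
import threading
import time
from typing import Optional

# StartTLS ExtendedRequest, BER-encoded by hand (constructed for this example):
#   LDAPMessage SEQUENCE { messageID INTEGER 1,
#                          [APPLICATION 23] ExtendedRequest {
#                              [0] requestName "1.3.6.1.4.1.1466.20037" } }
STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"
STARTTLS_REQUEST = (
    b"\x30\x1d"                 # SEQUENCE, 29 bytes follow
    b"\x02\x01\x01"             # messageID = 1
    b"\x77\x18"                 # [APPLICATION 23] ExtendedRequest, 24 bytes
    b"\x80\x16" + STARTTLS_OID  # [0] requestName, 22 bytes
)


def classify_first_byte(first: bytes) -> str:
    """Server-side check: what did the client put on the wire first?
    A TLS record starts with 0x16 (handshake); an LDAP PDU starts with 0x30
    (BER SEQUENCE).  Seeing 0x30 on the ldaps port means a client is using
    ldap:// or -ZZ against 636, which is exactly the hang in the thread."""
    if not first:
        return "empty"
    if first[0] == 0x16:
        return "tls-client-hello"   # what an ldaps:// port expects
    if first[0] == 0x30:
        return "plaintext-ldap"     # ldap:// or StartTLS (-ZZ) traffic
    return "unknown"


def start_mock_ldaps_listener():
    """Accept one connection, classify its first byte, then sit silently
    like a TLS server that never got a ClientHello.  Returns (port, seen);
    seen["kind"] is filled in once the first byte arrives."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    seen = {}

    def serve():
        conn, _ = srv.accept()
        conn.settimeout(5)
        try:
            seen["kind"] = classify_first_byte(conn.recv(1))
            # Drain whatever else arrives and keep waiting, as a TLS server
            # would, until the client gives up and closes.
            while conn.recv(1024):
                pass
        except socket.timeout:
            pass
        finally:
            conn.close()
            srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1], seen


def starttls_against_port(port: int, timeout: Optional[float]) -> str:
    """Mimic `ldapsearch -ZZ` talking to an ldaps port.  With timeout=None
    (ldapsearch's default, infinite wait) this blocks forever; with a
    timeout it returns "timeout" instead of hanging."""
    s = socket.create_connection(("127.0.0.1", port), timeout=timeout)
    try:
        s.sendall(STARTTLS_REQUEST)
        data = s.recv(1024)
        return "response" if data else "closed"
    except socket.timeout:
        return "timeout"
    finally:
        s.close()


def demo(timeout: float = 1.0):
    """Run the mismatch end to end; returns (client outcome, what the
    listener saw).  Expected: ("timeout", "plaintext-ldap")."""
    port, seen = start_mock_ldaps_listener()
    outcome = starttls_against_port(port, timeout)
    for _ in range(50):            # let the listener thread record its verdict
        if "kind" in seen:
            break
        time.sleep(0.02)
    return outcome, seen.get("kind")


if __name__ == "__main__":
    print(demo())
```

The fix in the thread is to match scheme to port: `-H ldaps://host:636` for implicit TLS, or `-H ldap://host:389 -ZZ` for StartTLS. Independently of that, current OpenLDAP ldapsearch accepts `-o nettimeout=N` (an option I know from the present-day tool, not something the 2003 thread mentions), which turns this class of hang into an error you can act on; the `classify_first_byte` check is the server-side counterpart, the kind of thing to log on port 636 when clients are misconfigured.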
